The Resilient Entrepreneur, Edition #95
Hi there
I hope you had a great week!
Here are the topics in today's edition:
- Blood, Sweat, and Tears: The Price You Pay for Experience
- Power Plants and Cyber Security: Attack or Accident?
Please reach out with comments, questions, or suggestions for articles!
Talk soon,
Tom
LEADERSHIP FOR RESILIENT ENTREPRENEURS
Blood, Sweat, and Tears: The Price You Pay for Experience
When I was younger, the word “experience” infuriated me. 20 years later, I know that blood, sweat, and tears are the price of experience.
Experience. What a heavy word.
When I was younger, the word sometimes infuriated me. Older colleagues often argued that I couldn’t know, because I lacked experience. Of course, they were right at the time, but arguing that way is most possibly the worst way to talk to a young colleague. You can’t blame young people for their lack of experience; it’s a simple consequence of biology.
Therefore, I avoid mentioning to younger people that they lack experience.
At the same time, being in my mid-forties now, quite a bit of experience has accumulated. Just because it infuriated me when I was younger, the purpose of this article is not to lecture younger people about the lack of their experience, but to reflect on the value of experience. As an example, let’s look back on the roughly 10 years I spent at the helm of Yonder, a B2B SaaS company.
The Wrong People
In most cases, growing a company means growing a team. As your customer base increases, you will need more people to help you deliver your product or service.
We have hired many great people, and we also hired some people who proved to be wrong fits retrospectively. I even had to fire a co-founder.
How come I didn’t know upfront that some people weren’t a good fit for our company? How come we all ignored the subtle warning signs until it was too late?
Well, it’s experience. You can only know what can go wrong with hiring people when you’ve done it multiple times. You can’t learn hiring from a book or from the stories of older, more experienced colleagues.
The Wrong Technology
If you build a software product, you need to make decisions about the technology you use: Database, architecture, frameworks, and components. With the myriad of products out there and the different views and expertise of your development team, making technology decisions is difficult. There isn’t a single perfect solution, and solutions that look compelling at first might end up in an outright disaster later on.
When we built our next-generation mobile app, we decided to replace the database to improve the sync performance. This was the right move given the slow sync performance of our old, first-generation app — at that time, we had few customers and few users, but our user base had outgrown the database and sync engine.
However, during the transition phase, we needed the old and the new databases. Keeping those databases in sync gave us many bugs and problems, and the full demigration of the old database took much longer than anticipated. Why? Because dependencies were harder to manage in production than we ever thought.
How come we didn’t migrate the database before working on the new app? Well, it’s experience again. I’d certainly do this differently today.
The Wrong Strategy
Hiring the wrong person or picking an unsuitable technology are suboptimal, but usually those unfortunate decisions can be corrected.
But how about choosing the wrong partners or investors, or entering the wrong markets? These decisions weigh much more heavily, but still, entrepreneurs make mistakes when making strategic decisions.
Once again, it’s experience. Inexperienced entrepreneurs say yes far more often than experienced entrepreneurs. Over time, I have learned that strategy means saying no. Try to explain this to somebody at the start of their career, when people are full of energy and want to try out all the opportunities out there.
Conclusion: The Value of Experience
If I look back at all the bad decisions I made as an entrepreneur, I could have saved a hefty amount of money, time, and grey hair if I’d known in advance.
Really?
Knowing the outcomes of a decision in advance is impossible in reality. The blood, sweat, and tears are the price you pay for experience.
Furthermore, it takes time to become good at something. So don’t be frustrated too quickly and jump ships — just hang in there, and excellence and experience will follow with time.
CRISIS MANAGEMENT FOR RESILIENT ENTREPRENEURS
Power Plants and Cyber Security: Attack or Accident?
What if electricity goes out due to a cyber attack on a power plant, or even worse, a cyber accident involving a power plant?
Crisis managers do much more than merely manage a crisis. Long before a crisis hits, they work on their crisis attitude and crisis preparation.
Crisis preparation does not just mean preparing your crisis room, but thinking of every possible crisis scenario that might be relevant for your organization.
In this article, we look at a grim scenario: What if electricity goes out due to a cyber attack on a power plant, or even worse, a cyber accident involving a power plant?
Far flung? Not at all. We are hyperdependent on electricity; nothing works in our society if electricity is cut for more than a few hours. I was trapped in a 36-hour blackout earlier this year during my winter holidays. That was a challenge by its own, but imagine what a 36-day blackout in a large city would look like.
Let’s dive into a hypothetical, but not so unrealistic, thought experiment.
Phase 1: Military Cyber Weapon Engineering
How do you invade a power plant with a cyber weapon? Using the example of Stuxnet, such cyber weapons are usually developed by advanced military powers.
Such cyber weapons are typically designed as worms: They propagate automatically, and they have a component that hides the malicious files on infected computers to avoid detection. In this way, they can spread on infected networks and stay dormant long before they become active.
As cyber attacks are usually designed to run on certain IT components, they might stay dormant on the majority of the infected systems, as the targeted IT components are not present on the infected systems. In the case of a power station, think of the relevant IT components as industrial controllers of a certain supplier. Once the worm detects the IT component it was designed for, it activates itself and forces the IT component to misbehave, leading to problems or eventually a breakdown of the infected power plant.
Phase 2: Proliferation
Believe it or not, but many cyber weapons, or at least their activators, are still transferred through infected USB sticks. That’s because power plants are typically air-gapped from the internet.
Therefore, an attacker will use different vectors to try to get the worm on that infected USB stick into the targeted power plant. With this approach, the attacker accepts collateral infections — not all infected USB sticks will reach the targeted power plant, and some of the infected USB sticks will reach and infect other systems than the targeted power plant.
But even though other systems might be infected, the worm stays dormant, as the target IT component is not present on the erroneously infected systems. And because the worm can hide the malicious files to avoid detection, nobody is suspicious.
Phase 3: Accidental Activation
So far, so good. Now, how can such a powerful worm be accidentally activated?
A power plant has a long life cycle, typically measured in decades. Furthermore, contemporary power plants are highly automated and contain many IT components — controllers, activators, sensors, etc.
And during that life cycle, some of these IT components might fail and need replacement. It’s not unthinkable that over such a long period of time, IT components might be changed to upgraded models, or even replaced by similar IT components from new suppliers.
And there you go. After replacing old IT components with new IT components from a different manufacturer, a dormant worm might suddenly activate itself and spread havoc on your power plant. Because your plant was accidentally infected a long time ago, and the worm just waited to detect the components you just installed to activate itself.
The rest is history.
Conclusion
I’m not saying that this scenario ever happened, or that it is the most likely threat to a power plant. But given the hyperdependency on electricity and our highly interconnected world, it’s something we shouldn’t ignore.
Even if you’re laughed at, if you take crisis management seriously, you should embark on such thought experiments now and then.
About Me
Growing a company in uncertain times is like running a marathon — it demands grit, strategy, and resilience.
As a tech entrepreneur, active reserve officer, and father of three, I share practical insights and write about entrepreneurship, leadership, and crisis management — no AI bullshit, no promos, just my thoughts in plain text.
When I’m not solving problems, I recharge and find inspiration in the breathtaking mountains around Zermatt.
Do you like this perspective? Here is how you can get more:
📌 Read all my articles in one place — without paywall, without popups.
📌 Go deeper with my eBooks — practical guides for tough times.
Don’t like any of these options? You can also tip me for my writing.
